COMMONWEALTH COLLEGE OF EXCELLENCE (CCE)

Data Protection Policy

Policy

This policy applies to all members of the UK Business College (“the College”). For the purposes of this policy, the term “Staff” means all members of the college staff including permanent, fixed term, and temporary staff, governors, secondees, any third party representatives, agency workers, volunteers, interns, agents and sponsors engaged with the college in the UK or overseas. This policy also applies to all members of staff employed by any of the college’s subsidiary companies.

All contractors and agents acting for or on behalf of the college should be made aware of this policy.

This policy applies to all personal and sensitive personal data processed on computers and stored in manual (paper based) files. It aims to protect and promote the rights of individuals and the college.

Personal Data

Any information which relates to a living individual who can be identified from the information. It also extends to any information which may identify the individual.
Examples of personal data:

  • A person’s name and address (postal and email)
  • Date of birth
  • Statement of fact
  • Any expression or opinion communicated about an individual
  • Minutes of meetings, reports
  • Emails, file notes, handwritten notes, sticky notes
  • CCTV footage if an individual can be identified by the footage
  • Employment and student applications
  • Spreadsheets and/or databases with any list of people set up by code or student/staff number
  • Employment or education history

Sensitive Personal Data

Any information relating to an individual’s:

  • Ethnicity
  • Gender
  • Religious or other beliefs
  • Political opinions
  • Membership of a trade union
  • Sexual orientation
  • Medical history
  • Offences committed or alleged to have been committed by that individual

Definition

The Data Protection Act 1998 and General Data Protection Regulation (GDPR) and Data Protection Act 2018 are designed to protect individuals and personal data, which is held and processed on their behalf. The Act defines the individual as the ‘data subject’ and their personal information as ‘data’. These are further defined as:

Data Subject

Any living individual who is the subject of personal data, whether in a personal or business capacity.

Data

Any personal information which relates to a living individual who can be identified.
This includes any expression of opinion about the individual.

Data is information stored electronically i.e. on computer, including word processing documents, emails, computer records, CCTV images, microfilmed documents, backed up files or databases, faxes and information recorded on telephone logging systems.

Manual records which are structured, accessible and form part of a ‘relevant filing systems’ (filed by subject, reference, dividers or content), where individuals can be identified and personal data easily accessed without the need to trawl through a file.

General Principles

The Data Protection Act 1998 and General Data Protection Regulation (GDPR) and Data Protection Act 2018 set legislative requirements for organisations processing personal data (referred to under the Act as ‘Data Controllers’). The College will be open and transparent when processing and using private and confidential information by ensuring we follow the 8 Data Protection Principles of good data handling:

Principle 1

Personal data shall be obtained and processed fairly and lawfully

Principle 2

Personal data shall be obtained only for the specified and lawful purposes and shall be processed for limited purposes

Principle 3

Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is obtained.

Principle 4

Personal data shall be accurate and kept up to date.

Principle 5

Personal data shall not be kept for longer than necessary.

Principle 6

Personal data shall be processed in accordance with the rights of the data subject under the Data Protection Act 1998 and General Data Protection Regulation (GDPR) and Data Protection Act 2018.

Principle 7

Personal data (manual and electronic) must be kept secure.

Principle 8

Personal data shall not be transferred outside the European Union unless that country provides adequate levels of protection for the rights of the data subject.

The College recognises and understands that failure to comply with the requirements of the Data Protection Act 1998 and General Data Protection Regulation (GDPR) and Data Protection Act 2018 may result in:

  • Criminal and civil action;
  • Fines and damages;
  • Personal accountability and liability;
  • Suspension/withdrawal of the right to process personal data by the Information Commissioner’s Office (ICO);
  • Loss of confidence in the integrity of the College’s systems and procedures;
  • Irreparable damage to the College’s reputation.

The College may also consider taking action, in accordance with the College’s Disciplinary Procedure, where staff do not comply with the Data Protection Act 1998 and General Data Protection Regulation (GDPR) and Data Protection Act 2018.

Roles and Responsibilities

Staff will not attempt to gain access to information that is not necessary to hold, know or process. All information which is held will be relevant and accurate for the purpose for which it is required. The information will not be kept for longer than is necessary and will be kept secure at all times.

The College will ensure that all personal or sensitive personal information is anonymised as part of any evaluation of assets and liability assessments except as required by law.

Staff who manage and process personal or sensitive personal information will ensure that it is kept secure and, where necessary, confidential. Sensitive personal information will be processed fairly and lawfully, only in line with the provisions set out in the Data Protection Act 1998 and General Data Protection Regulation (GDPR), and in accordance with instructions set out by the respective Data Controllers.

The College will ensure that all staff are made aware of the reasons why personal and sensitive personal data is being processed:

  • How it will be processed
  • Who will process it
  • How it will be stored and
  • How it will be disposed of when no longer required.

Data Subjects’ Rights

The College acknowledges the rights of individuals (data subjects) under the Data Protection Act to access any personal data held on our systems and in our files upon their request, or to delete and/or correct this information if it is proven to be inaccurate, excessive or out of date.

The College recognises that individuals have the right to make a request in writing and upon payment of a fee, obtain a copy of their personal information, if held on our systems and files.

The College recognises that individuals have the right to prevent data processing where it is causing them damage or distress, or to opt out of automated decision making and stop direct marketing.

College (Data Controllers) Obligations

The College will follow the Code of Practice issued by the ICO when developing policies and procedures in relation to data protection.

The College will ensure that Data Processing Agreements are applied to all contracts and management agreements where the College is the data controller contracting out services and processing of personal data to third parties (data processors). The College will ensure this agreement clearly outlines the roles and responsibilities of both the data controller and the data processor.

The College will adhere to and follow the principles of the Data Protection Act 1998 and General Data Protection Regulation (GDPR) and Data Protection Act 2018 when conducting surveys, marketing activities etc., where the College collects, processes, stores and records all types of personal data.

The College will not transfer or share personal information with countries outside of the European Economic Area (EEA) unless that country has a recognised adequate level of protection in place in line with the recommendations outlined in the Data Protection Act 1998 and General Data Protection Regulation (GDPR) and Data Protection Act 2018.

The College will ensure all staff are provided with data protection training and promote the awareness of the College’s data protection and information security policies, procedures and processes.

Complaints

Complaints relating to breaches of the Data Protection Act 1998 and General Data Protection Regulation (GDPR) and Data Protection Act 2018 and/or complaints that an individual’s personal information is not being processed in line.

Confidentiality and Information Sharing

The College will only share information in accordance with the provisions set out in the Data Protection Act 1998 and General Data Protection Regulation (GDPR).

Where applicable the College will inform individuals of the identity of third parties to whom we may share, disclose or be required to pass on information, whilst accounting for any exemptions which may apply under the Data Protection Act 1998 and General Data Protection Regulation (GDPR) and Data Protection Act 2018.

Date of next review: May, 2025
